In my experience the best way to deploy Windows updates with SCCM is an Automatic Deployment Rule (ADR).
To get a working ADR, a few configurations and settings need to be in place and working without errors:
1. Software Update Point (SUP) : Products and Sync Schedule
2. Site System role : Proxy Account
3. Device Collection : Query based collection
4. Client Settings
5. Automatic deployment rule
2. Site System Role : Proxy Account
If a proxy server is used to reach the internet, configure the account that is allowed through the proxy so that update metadata and content can be downloaded. Use a dedicated account with no more rights than proxy authentication needs (it does not have to be a domain admin) and treat it like any other service account.
Under \Administration\Overview\Site Configuration\Servers and Site System Roles, open the properties of the site system and configure the Proxy settings and Proxy Account there. The Software Update Point role on the same server also has its own options to use that proxy when synchronizing software updates and when downloading content for automatic deployment rules; if those are not enabled, sync and ADR downloads will not go through the proxy you configured here.
3. Device Collection : Query Based
This relies on a properly planned Active Directory (AD) structure.
Let's say we have a separate Organizational Unit (OU) for servers and another OU for user PCs.
When a new server is joined to the domain, its computer account is placed in the Servers OU; the same goes for user PCs.
Here we will focus on servers.
Now we create a device collection based on the OU and on the operating system installed on the server.
Under \Assets and Compliance\Overview\Device Collections, right-click Device Collections and select Create Device Collection.
4. Client Settings
Now we need to set up custom client settings for the “Server” device collection.
Under \Administration\Overview\Client Settings, create new custom Device Settings.
Note: Only the settings that affect update deployment are covered here.
Now we need to deploy these settings to the device collection we created (Windows Server 2008 R2 Dyn Collection).
Right-click the Device Settings, select Deploy, select the collection we created and complete the wizard.
5. Automatic Deployment Rule
The Software Updates (criteria) page is the important one: the property filters chosen here decide which updates the rule selects and downloads, so check the selection carefully.
Note: The value for Title is set to x64, which means any update with “x64” in its title is selected, because we generally run 64-bit OS in production. The Title filter is a substring match, so combine it with the Product and Update Classification filters and exclude superseded updates, otherwise the rule pulls in more than you intend.
On the Evaluation Schedule page, for update deployment to servers I have selected “Do not run this rule automatically”.
Which option you pick depends on how you plan to roll newly released updates out to servers.
If “Do not run this rule automatically” is selected, we have to run this ADR manually once we are comfortable with the newly released updates and want them added to the Software Update Group created by this rule.
If the rule targets the user PC device collection instead, the proper selection is “Run the rule after any software update point synchronization”.
Remember the Sync Schedule configured in the first section (SUP): when that sync runs on schedule, this ADR runs right after it, and newly released updates are downloaded and added to the Software Update Group.
Complete the Automatic Deployment Rule Wizard.
Next, run the ADR: right-click it and select Run Now.
This creates a new Software Update Group containing the updates matched by the rule's criteria.
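The same three objects built above (the OU/OS-based device collection, the custom client settings deployed to it, and an ADR that only runs when invoked), scripted with the ConfigurationManager PowerShell module that ships with the console. This is an added example and not part of the original post; the site code, domain, OU path, share path and object names are assumptions, and the cmdlet parameter names should be checked against Get-Help for the module version you have installed:

```powershell
# Added example (not from the original post). Builds the device collection,
# the custom client settings and the ADR described in the post with the
# ConfigurationManager module. Site code, domain/OU path, share path and
# object names below are assumptions; adjust them to your environment.

$SiteCode = 'PS1'                                   # assumed site code
$OuPath   = 'CONTOSO.COM/SERVERS'                   # SystemOUName format: DOMAIN/OU/SUB-OU, upper case
$CollName = 'Windows Server 2008 R2 Dyn Collection'
$PkgPath  = '\\sccm01.contoso.com\Sources$\Updates\Server2008R2'   # assumed package source share
$AdrName  = 'ADR - Windows Server 2008 R2'

# Load the module from the console install path and switch to the site drive.
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):"

# 3. Query-based device collection: the computer account is in the Servers OU
#    AND the inventoried OS is Windows Server 2008 R2 (NT 6.1 Server).
$wql = @"
select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name,
       SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client
from SMS_R_System
where SMS_R_System.SystemOUName = "$OuPath"
  and SMS_R_System.OperatingSystemNameandVersion like "Microsoft Windows NT Server 6.1%"
"@
$daily = New-CMSchedule -RecurInterval Days -RecurCount 1
New-CMDeviceCollection -Name $CollName -LimitingCollectionName 'All Systems' `
    -RefreshType Periodic -RefreshSchedule $daily | Out-Null
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollName `
    -RuleName 'Servers OU - 2008 R2' -QueryExpression $wql

# 4. Custom device client settings: scan for updates every 6 hours and
#    evaluate deployments daily, then deploy the settings to the collection.
$csName = 'Server Update Settings'
New-CMClientSetting -Name $csName -Type Device | Out-Null
Set-CMClientSettingSoftwareUpdate -Name $csName -Enable $true `
    -ScanSchedule (New-CMSchedule -RecurInterval Hours -RecurCount 6) `
    -DeploymentEvaluationSchedule $daily
Start-CMClientSettingDeployment -ClientSettingName $csName -CollectionName $CollName

# 5. ADR that is only run when an admin invokes it. Title "x64" is a substring
#    match, so it is narrowed with Product, Classification and Superseded=false.
$pkg = New-CMSoftwareUpdateDeploymentPackage -Name 'Server 2008 R2 Updates' -Path $PkgPath
New-CMSoftwareUpdateAutoDeploymentRule -Name $AdrName `
    -CollectionName $CollName -DeploymentPackage $pkg `
    -RunType DoNotRunThisRuleAutomatically `
    -Title 'x64' -Product 'Windows Server 2008 R2' `
    -UpdateClassification 'Security Updates','Critical Updates' -Superseded $false `
    -AddToExistingSoftwareUpdateGroup $false `
    -SuppressRestartServer $true -EnabledAfterCreate $true | Out-Null

# Equivalent of right-click > Run Now: evaluates the rule, downloads matching
# updates into the package and creates the Software Update Group.
Invoke-CMSoftwareUpdateAutoDeploymentRule -Name $AdrName
```

Run it from a PowerShell session that has the console installed and an account with Full Administrator rights in SCCM. Keep -Superseded $false and the classification list in place: without them the "x64" title filter alone matches far more than the monthly security and critical updates you are likely to want in a server update group.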
Use CMTrace to follow wsyncmgr.log (SUP synchronization), ruleengine.log and patchdownloader.log (ADR evaluation and download); these logs are on the SCCM site server. On the client the corresponding logs under %windir%\CCM\Logs are ScanAgent.log and WUAHandler.log for the scan and UpdatesDeployment.log and UpdatesHandler.log for the deployment.
Once a server or client PC receives the new client settings, the update scan and deployment evaluation run on the schedule defined in those settings.
To force a Configuration Manager client to pick up the new policy right away, open “Configuration Manager” in Control Panel, go to the Actions tab and run “Machine Policy Retrieval & Evaluation Cycle”; wait a couple of minutes, run “Software Updates Scan Cycle”, wait a few more minutes, and finally run “Software Updates Deployment Evaluation Cycle”.
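The same three client actions triggered from an elevated PowerShell prompt instead of the Control Panel applet, followed by a check of what the client now reports as applicable. This is an added example and not from the original post; the schedule IDs are the well-known SMS_Client trigger IDs, while the wait times and the remote-computer usage are assumptions:

```powershell
# Added example (not from the original post). Triggers the three client
# actions the post runs from the Configuration Manager applet via the
# SMS_Client WMI class, then lists what the client considers applicable.
# Needs local admin on the target; the wait times are assumptions.

# Well-known SMS_Client schedule IDs, in the order the post runs them.
$Actions = [ordered]@{
    'Machine Policy Retrieval & Evaluation Cycle'  = '{00000000-0000-0000-0000-000000000021}'
    'Software Updates Scan Cycle'                  = '{00000000-0000-0000-0000-000000000113}'
    'Software Updates Deployment Evaluation Cycle' = '{00000000-0000-0000-0000-000000000108}'
}

function Invoke-CMClientAction {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ScheduleId,
        [int]$WaitSeconds = 120,                        # assumed; tune to your environment
        [string]$ComputerName = $env:COMPUTERNAME       # local by default, remote if given
    )
    Write-Host "Triggering '$Name' on $ComputerName"
    Invoke-WmiMethod -ComputerName $ComputerName -Namespace 'root\ccm' -Class 'SMS_Client' `
        -Name 'TriggerSchedule' -ArgumentList $ScheduleId | Out-Null
    # Give the client time to finish the cycle before the next one depends on it.
    Start-Sleep -Seconds $WaitSeconds
}

foreach ($action in $Actions.GetEnumerator()) {
    Invoke-CMClientAction -Name $action.Key -ScheduleId $action.Value
}

# Updates the client now considers applicable from its deployments.
# EvaluationState: 0 none, 1 available, 8 pending soft reboot,
# 12 install complete, 13 error (see the CCM_SoftwareUpdate class for the rest).
Get-WmiObject -Namespace 'root\ccm\ClientSDK' -Class 'CCM_SoftwareUpdate' |
    Select-Object ArticleID, Name, EvaluationState, Deadline |
    Format-Table -AutoSize
```

If the final query returns nothing after the three cycles, the client either has not received the new policy yet or is not a member of the targeted collection; check UpdatesDeployment.log on the client and the collection membership in the console before re-running the cycles.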
This post is not meant to be a complete guide, but it should give an idea of everything involved in setting up an Automatic Deployment Rule.
If you have questions please post in comments.
Hope it helps.